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DETAILED ACTION 

Response to Amendment 

1 . This Office Action is in response to the Amendment filed on September 27 th , 2005. 
Claims 1-30 are now pending in the application. 

Drawings 

2. The corrected or substitute drawings were received on September 27 th , 2005. These 
drawings are acceptable by the Examiner. 

Claim Rejections - 35 USC § 102 

3. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(b) the invention was patented or described in a printed publication in this or a foreign country or in public use or 
on sale in this country, more than one year prior to the date of application for patent in the United States. 

4. Claims 1-3, 5-6, 13, 18, 21-23 and 25-26 are rejected under 35 U.S.C. 102(b) as being 
anticipated by Boebert et al. (U.S. 5, 822,435; hereinafter refer as 'Boebert'). 

- In regard to claims 1 and 21, Boebert discloses in Figs. 1-6 and in the respective 
portions of the specification about the computing apparatus (For example see Fig. 2; Abstract; 
col. 3, lines 20-40; col. 4, lines 33-39), which comprises the trusted hardware module ("trusted 
path subsystem"; For example see Figs. 2-4; col. 4, lines 33-39) resistant to unauthorized 
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modification (For example see col. 2, lines 27-38), a plurality of further hardware modules 
("workstation processing unit, display with video manager, keyboard with keyboard manager 55 ; 
For example see Figs. 1-4), the shared communication infrastructure ("paths 44, 46 55 which 
connect the workstation processing unit to the display/video manager, keyboard/keyboard 
manager and to the multilevel secure computer through the network 50) by which the hardware 
modules can communicate with each other (For example see Figs. 1-4; col. 2, lines 1-4; wherein 
the workstation processing unit communicates directly with the display/video manager, 
keyboard/keyboard manager) and the first communication path distinct from the shared 
communication infrastructure ("separate data path 55 or "auxiliary data path 5 '; For example see 
Figs. 3-4; col. 4, lines 33-39), by which the first one of the further hardware modules can 
communicate directly with the trusted hardware module but cannot communicate directly with 
any other of the further hardware modules (For example see Figs. 3-4; col. 4, lines 33-50; 
wherein the workstation processing unit communicates with display/video manager, 
keyboard/keyboard manager through the trusted path subsystem). 

- Regarding claims 2 and 22, in addition to features in base claims 1 and 21 (see 
rationales pertaining the rejection of base claims 1 and 21 discussed above), Boebert further 
discloses wherein the trusted hardware module ("trusted path subsystem 55 ) and the first further 
hardware module ("workstation processing unit 5 ') each include a respective computing engine 
("processor"; For example see Figs 3-4; wherein it is inherent that the workstation processing 
unit has its own processor for processing the application for the workstation unit) which partakes 
in the direct communication via the first communication path. 
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- In regard to claims 3 and 23, in addition to features in base claims 1 and 21 (see 
rationales pertaining the rejection of base claims 1 and 21 discussed above), Boebert further 
discloses wherein the first further hardware module is operable to supply to the trusted 
hardware module the request for operation on data ("trusted path mode"; For example see col. 
5, lines 17-32; wherein the workstation invokes trusted path mode through different number of 
ways as disclosed in col. 5, line 66 through col. 6, line 10; e.g. 'request for operation on data") 
and in response to such a request, the trusted hardware module is operable to generate a 
response ("feedback mechanism"; For example see col. 6, lines 8-10) and to supply the response 
to the first further hardware module via the first communication path and not via the shared 
communication infrastructure (For example see Figs. 3-4; col. 5, lines 27-32). 

- Regarding claims 5-6 and 25-26, in addition to features in base claims 1 and 21 (see 
rationales pertaining the rejection of base claims 1 and 21 discussed above), Boebert further 
discloses wherein the trusted hardware module is operable to generate an encryption and/or 
decryption key ("pair- wise key" or "public key") and supply that key to the first further 
hardware module via the first communication path and not via the shared communication 
infrastructure (For example see col.5, lines 52-65); and wherein the first further hardware 
module is operable to use the key for encryption and/or decryption of data communicated via the 
shared communication infrastructure (For example see col. 4, line 51 through col. 5, line 2). 
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- In regard to claims 13 and 18, in addition to features in base claims 1 and 21 (see 
rationales pertaining the rejection of base claims 1 and 21 discussed above), Boebert further 
discloses about the second and third communication paths, distinct from the shared 
communication infrastructure and the first communication path, by which the second one of the 
further hardware modules can communicate directly with the trusted hardware module but 
cannot communicate directly with any other of the further hardware modules ^'second and third 
communication paths"\ For example see Figs. 3-4; wherein the display and keyboard connect to 
the video and keyboard managers, and then connect to the multi-level secure computer via 
network interface 39 and network 50). 

Claim Rejections - 35 USC § 103 

5. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

6. Claims 4, 7-12, 14-17, 19-20, 24 and 27-30 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Boebert et al. (U.S. 5,822,435; hereinafter refer as 'Boebert'). 

- In regard to claims 4 and 24, Boebert discloses all the subject matter of the claimed 
invention as discussed above about the computing apparatus (For example see Fig. 2), which 
comprises the trusted hardware module ("trusted path subsystem"; For example see Figs. 2-4) 
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resistant to unauthorized modification, a plurality of further hardware modules ("workstation 
processing unit, display with video manager, keyboard with keyboard manager"; For example 
see Figs. 1-4), the shared communication infrastructure ("paths 44, 46") by which the hardware 
modules can communicate with each other and the first communication path distinct from the 
shared communication infrastructure ("separate data path" or "auxiliary data path"), by which 
the first one of the further hardware modules can communicate directly with the trusted 
hardware module but cannot communicate directly with any other of the further hardware 
modules (For example see Figs. 3-4); including the storage device {'means for storing') and the 
capable of recognizing classified information of varying sensitivity and different levels of users 
access of the multi-level secure computer (For example see Figs. 1-2; col. 1, lines 20-27; col. 2, 
lines 15-25; col. 7, lines 27-44). Though, Boebert does not explicitly disclose about "policy 
information"', however, in order to recognizing classified information of varying sensitivity and 
different levels of users access, the multi-level secure 'MLS' computer (see Figs. 1-2) has to 
store information about different levels to access to the secure subsystem, eg: "policy 
information", to provide the access right to users. 

- Regarding claims 7-8, 20, 27-28 and 30, in addition to features in base claims 1 and 21 
(see rationales pertaining the rejection of base claims 1 and 21 discussed above), Boebert further 
discloses wherein the trusted hardware module is operable to generate a challenge and to supply 
the challenge to the first further hardware module via the first communication path or via the 
shared communication infrastructure using encryption set up using the first communication path 
(For example see col. 6, lines 26-39; wherein, in order to access the system, the user from the 
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workstation has to authenticated himself to the secure subsystem, where the "challenge" from the 
subsystem such as the login window is obvious and well known in the art); and wherein, in 
response to the challenge, the first further hardware module is operable to generate a response 
and to supply the response the trusted hardware module via the first communication path the 
shared communication infrastructure using encryption set up using the first communication path 
(For example see col. 6, lines 26-39; wherein the user provides the personal identification 
number TIN', password, biometric or token device to authenticate himself to the subsystem in 
order to access the secure system). Though, Boebert does not explicitly disclose about "integrity 
metric"\ however, it is obvious that information such as personal identification number TIN 5 , 
password, biometric or token device are used to authenticate the user to the secure subsystem and 
are the "integrity metric", which create and store by the trusted system, in order to provide 
classified information of varying sensitivity and different levels of users access right for different 
user. 

Thus it would have been obvious to the person of ordinary skill in the art at the time of 
the invention was made to combine the implementation "integrity metric" into the Boebert' s 
trusted subsystem, with the motivation being to provide classified information of varying 
sensitivity and different levels of users access right for different user. 

- In regard to claims 9-12 and 29, in addition to features in base claim 1 (see rationales 
pertaining the rejection of base claim 1 discussed above), Boebert does discloses about the 
trusted ("zone for private data") and untrusted subsystem ("zone for non-private data") in the 
multi-level secure computer (For example see Figs. 1-2); and wherein the workstation has 
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different levels of security (For example see col. 6, line 60 through col. 7, line 12) and different 
paths ("network interface module"; For example see Figs. 3-4) for receiving/transmitting data on 
normal mode, e.g. "non-private data" or non-secure, and trusted path mode, e.g. "private data" 
or secure (For example see Figs. 3-4); but fails to explicitly disclose about the different zones for 
receiving/transmitting data on normal mode and trusted path mode. However, it is obvious that 
configuring different "zones" for "private data" and "non-private data" is just system 
engineering choices to provide secure on transmitting or receiving data from different zones with 
different levels of security. 

Thus it would have been obvious to the person of ordinary skill in the art at the time of 
the invention was made to combine the implementation the different zones for different levels of 
security for the Boebert's secure system, in order to provide secure on transmitting or receiving 
data from different zones with different levels of security. 

- Regarding claims 14-16, in addition to features in base claim 1 (see rationales 
pertaining the rejection of base claim 1 discussed above), Boebert does discloses wherein the 
first further hardware module is operable to supply to the trusted hardware module a request for 
a transfer of data between the first and second further hardware modules ("trusted path mode"; 
For example see col. 5, lines 17-32; wherein the workstation invokes trusted path mode through 
different number of ways as disclosed in col. 5, line 66 through col. 6, line 10; e.g. 'request for a 
transfer of data') and in response to such a request, the trusted hardware module is operable to 
generate a response ("feedback mechanism"; For example see col. 6, lines 8-10) and to supply 
the response to the first or second further hardware module via the first or second 



Application/Control Number: 09/9 1 3,453 Page 9 

Art Unit: 2661 

communication path, not via the shared communication infrastructure (For example see Figs. 3- 
4; col. 5, lines 27-32); including the storage device {'means for storing') and the capable of 
recognizing classified information of varying sensitivity and different levels of users access of 
the multi-level secure computer (For example see Figs. 1-2; col. 1, lines 20-27; col. 2, lines 15- 
25; col. 7, lines 27-44). Though, Boebert does not explicitly disclose about "policy information" 
as claimed in the claim invention 15; however, in order to recognizing classified information of 
varying sensitivity and different levels of users access, the multi-level secure 'MLS 5 computer 
(see Figs. 1-2) has to store information about different levels to access to the secure subsystem, 
e.g. "policy information", to provide the access right to users; and wherein the trusted hardware 
module is operable to relay the data to the second or first further hardware module via the 
second or first communication path as claimed in the claim invention 16 (For example see col. 6, 
lines 34-39). 

- In regard to claims 17 and 19, in addition to features in base claim 1 (see rationales 
pertaining the rejection of base claim 1 discussed above), Boebert further discloses about the 
processor ("main processor"; For example see Figs. 3-5; col. 8, lines 39-44) and video RAM in 
the video manager ("non-volatile data storage module"; For example see Fig. 5; col. 8, lines 51- 
63). 

Response to Amendment/Arguments 
7. Applicant's arguments filed on September 27 th , 2005 have been fully considered but they 
are not persuasive. 
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In regard to claim 1 and 21 , Applicant argues that Boebert fails to disclose, "a shared 
communications infrastructure by which the hardware modules can communicate with each 
other". Examiner respectfully disagrees. In Figure 2 (or in figure 1), Boebert clearly discloses 
the connection between the workstation processing unit 40 to the multilevel secure computer 60, 
through the network 50, which is the shared communications connection where the hardware 
modules such as display, keyboard, workstation processing unit, . . . can communicate to the 
trusted and untrusted subsystem of the multilevel secure computer, e.g. "a shared 
communications infrastructure by which the hardware modules can communicate with each 
other". Therefore, Examiner concludes that Boebert teaches the arguable feature. 

Claims 2-20 and 22-30 are rejected as in Part 4 and 6 above of this Office action and by 
virtue of their dependence from claims 1 and 21. 

Conclusion 

8. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is 
reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
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CFR 1 . 1 36(a) will be calculated from the mailing date of the advisory action. In no event, 
however, will the statutory period for reply expire later than SIX MONTHS from the date of this 
final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Tri H. Phan, whose telephone number is (571) 272-3074. The 
examiner can normally be reached on M-F (8:00-4:30). 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Chau T. Nguyen can be reached on (571) 272-3126. 

Any response to this action should be mailed to: 

Commissioner of Patents and Trademarks 

Washington, D.C. 20231 

or faxed to: 

(571) 273-8300 

Hand-delivered responses should be brought to Randolph Building, 401 Dulany Street, 
Alexandria, VA 22314. 

Any inquiry of a general nature or relating to the status of this application or proceeding 
should be directed to the Technology Center 2600 Customer Service Office, whose telephone 
number is (571) 272-2600. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
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applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 




Tri H. Phan 
December 12, 2005 



